Critical Authentication event - reinitialize all sessions

andrewswanson
Level 7

Hi

I'm working on an ISE/Trustsec deployment for wired devices using ibns 2.0. The dev environment is working well:

  • Clients authenticate successfully and are dynamically assigned SGTs from ISE
  • Switches download CTS environment data from ISE (SGTs and SGACLs) and ISE policy is enforced correctly.


I'm now looking at how to handle a critical authentication event where ISE becomes unavailable:


  • Unauthenticated clients are authorised OK by the switch's ibns 2.0 identity control policy. SGTs are applied statically through VLAN membership
  • CTS environment data (SGTs and SGACLs) learned from ISE eventually times out (ISE default for this timeout is 24 hours).
  • Clients that authenticated successfully (before RADIUS became unavailable) remain authorised with their dynamically assigned SGT. Periodic authentication isn't enabled so clients remain authorised until the session ends.

The problem I'm seeing is that if ISE is unavailable for long enough and the switch's CTS environmental data times out, then the switch loses the SGACLs/SGTs required to enforce policy for the ISE authenticated devices with their dynamically assigned SGTs.


I thought the old legacy 802.1x command "authentication event server dead action reinitialize vlan X" might help reinitialize authenticated clients when a critical authentication event occurs but the bug CSCul89568 (and my testing) shows that this is only possible if periodic authentication is enabled.


I created a simple EEM script below which clears all authenticated sessions when RADIUS becomes unavailable. Clients are then authorised by the switch with statically assigned SGTs (enforcement is done through static SGACLs).


event manager applet CRITICAL-CLEAR-SESSIONS
event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5
action 1.0 cli command "enable"
action 1.1 cli command "clear access-session"


Can anyone suggest a better way of dealing with this kind of event? I could increase the cts environmental data timeout or enable periodic authentication.


Thanks
Andy
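For readers landing here with the same question, an added example of how IBNS 2.0 handles the RADIUS-dead and RADIUS-available transitions natively, so the EEM applet above becomes unnecessary. This is not configuration from this thread or from Cisco's documentation; the template, class and policy names, VLAN 100 and the interface are constructed and need to be adapted. The design goal matches Andy's: hosts that (re)authenticate while ISE is down land in a VLAN with a static SGT and static SGACLs, and are cleared when ISE returns so they pick up their dynamic SGT again.

```cisco
! Added example, not from this thread. Names, VLAN 100 and the interface
! are constructed placeholders; adapt them to your own critical-auth VLAN.

! Applied to hosts that cannot reach ISE: SGT comes statically from VLAN membership
service-template CRITICAL_AUTH_VLAN
 vlan 100

! RADIUS timed out and the host is not yet authorised
class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
 match result-type aaa-timeout
 match authorization-status unauthorized

! RADIUS timed out during a periodic re-authentication of an already authorised host
class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
 match result-type aaa-timeout
 match authorization-status authorized

! Sessions currently parked in the critical-auth VLAN
class-map type control subscriber match-any IN-CRITICAL-VLAN
 match activated-service-template CRITICAL_AUTH_VLAN

policy-map type control subscriber PMAP-DOT1X-CRITICAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 authorize
   30 pause reauthentication
  ! Design choice for this thread's goal: an authorised host whose re-auth
  ! times out is moved onto the static-SGT VLAN too, instead of keeping its
  ! dynamic SGT after the CTS environment data has expired. A plainer policy
  ! would only pause reauthentication and authorize here.
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 pause reauthentication
   30 authorize
 ! When ISE is reachable again, clear the critical-auth sessions so they
 ! re-authenticate and get their dynamic SGT back; resume reauth timers
 ! for every other session
 event aaa-available match-all
  10 class IN-CRITICAL-VLAN do-until-failure
   10 clear-session
  20 class always do-until-failure
   10 resume reauthentication

interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 ! Periodic re-authentication with the server-supplied timer: while ISE is
 ! down, each host hits the aaa-timeout branches above before the CTS
 ! environment data can time out
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP-DOT1X-CRITICAL
```

Check the result with `show access-session interface GigabitEthernet1/0/1 details` while RADIUS is marked dead: critical-auth sessions should list CRITICAL_AUTH_VLAN under their activated service templates, and after ISE comes back those sessions should disappear and re-authenticate rather than lingering with stale authorisation.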

2 Replies

david.2018
Level 1

Hi,

Have you tried enabling CTS cache to store the environment data and SGACLs in flash? This way the last entry in the cache before ISE dies will be used.

Hi David

Thanks for the response. CTS cache isn't supported on Catalyst 3ks so that wasn't an option.


Currently, I have periodic authentication enabled for all clients - during a Critical Authentication event, all clients are re-authenticated before the cts environment data times out.


Andy